Hacker News: 4oh9do's comments

> Activists also use virtual private networks, which can minimize data collected about browsing, and encourage Polish women to contact them on encrypted channels like Signal. They delete all online conversations after the person has had the abortion and caution the person not to post on social media about their experiences, after some faced online harassment. One organization that provides funds for Polish people to get the procedure in Germany pays abortion clinics directly, rather than providing funds to patients, to ensure there are no digital records.

I don't understand why this paragraph is buried in the middle of the article. It should be a prominently featured tooltip.


I don't understand the cognitive dissonance seemingly on display by the game collector throughout the article:

> He’d had a kind of philanthropic hubris as an owner and collector, someone who never gave a second thought to keeping his legendary game collection a secret. He’d gladly let YouTubers film in the back; he would even open the safe back there and show them, item by item, his Louvre. Other collectors had rare games, sure, but in the back room of his store, and especially in the safe, he was proud to own 10,000 of what he described as “cherry” copies—his preferred term for virgin condition.

and again...

> And though the value of retro games had exploded in the past few years, he’d never been concerned about the safety of the thousands of games from his legendary collection—some of the most valuable video games on earth.

and yet again...

> Though the vault door didn’t work then and was mainly for show, that anything behind it could be, would be, stolen seemed unimaginable.

It is repeated time and time again that these items are valuable, that the collector was keenly aware that they are extremely valuable, and yet he also repeatedly seemed to refuse to acknowledge that you need to take steps to protect valuables, and the more valuable something is the more steps you need to take to protect it.

I don't want to 'victim blame', suffering a burglary is a horrible experience, but it is one compounded by foolhardiness.


The guy advertised to the world on youtube his collection, where/how it was located, and so on.

Stored that collection in an area anyone could locate with a google search.

Did not have agreed value insurance for the collectable games, likely because he was worried about documenting the collection to avoid taxes.

The vault/safe were non-functional.

There were no interior or exterior video cameras.

Considered collectable items his "retirement plan" (again, avoiding taxes would be my guess.)

Absolutely insane. At least he seems to have landed on his feet - he's now employed as a video game grader by CGC.

The other thing that is insane is that over and over the other video game store owners strongly suspected or knew what was going on, had had opportunities to call police, and plenty of ability to stall the thieves. One of several examples:

> Again, Jackson declined to provide any ID. While Young pretended to look up prices—he had no intention of purchasing any of the games—he told a colleague to take a picture of Jackson’s license plate. Young remembered reading about Trade-N-Games, and he called Brassard.

Oh. My. God.

Call. The. FUCKING. POLICE. In many states you don't even have to call - you can text, so it just looks like you're fucking around on your cell phone.


I can really identify with the dissonance you identify.

Until you've had your bike stolen (or known people who have), you just can't imagine it happening with clarity.

Therefore I don't really think it's cognitive dissonance as much as lack of imagination.

Dissonance would be if there were break-in attempts that he ignored. Or if he got threats and did nothing.

He didn't actually have concrete reason to believe that he was a target.


> Until you've had your bike stolen (or known people who have), you just can't imagine it happening with clarity.

It's _very_ common for cyclists to use bike locks even if they personally haven't suffered a bike theft.


It is also common for cyclists to use cable locks until the first time their bike is stolen.

And then they learn that cable locks do not work.


D-locks don't work either, since thieves discovered battery-powered angle grinders.

If cycling is to be a significant part of the future of transport, we need to solve bike theft.


On the other hand it might take multiple thefts to learn the lesson for some people. When I was a kid/teenager, someone stole my bike and the police found it (yay small town) abandoned several blocks away. Of course it took my sister and brother-in-law pretending to steal it for me to really learn.


Our house was burgled a few years back and it certainly served as a wake-up call. My room was untouched somehow whilst my roommate's gaming PC and anything else electronic was taken.

At the time my backups were all sitting next to my computer, encrypted but physically present. That day I started to appreciate the value of offsite backups for personal data and adjusted my strategy.


> This is a public blockchain analytics service that has nothing to do with Coinbase's other services.

Are you familiar with the concept of parallel construction? It's a tactic LEOs use when they don't want to reveal how they actually obtained information. For instance, if they obtain information using method A, but want to conceal method A, they state that they actually obtained the information using method B (because the information actually is, after the fact, obtainable via method B as well, once you know what to look for).

In Coinbase's case the way this would work is Coinbase sources data from their internal databases (method A), and then after the fact they do let's say a Google search or some other public search for the names or whatever they found in their internal databases, and state that all data is sourced from online, publicly available data (method B).


> In Coinbase's case the way this would work ...

Since the article is already based on a leak (or something that is presented as one), one would expect that if this was the case, there would at least be an anonymous source claiming so.

Given that all the article is mentioning is "they're selling blockchain analysis software", it's very plausible that that's what they're selling. When the feds want specific info on a specific address/account, they're going to get a subpoena and get KYC data and logs anyways.


You have absolutely zero evidence whatsoever to support this claim, and as such you should not make it.

This is how disinformation is spread; not through some conspiratorial plot to confuse, but from fear, uncertainty, and doubt.


I am not making a claim, I am laying out how the process could hypothetically occur, hence the use of "would" in my post.

I'm curious, however, why did you not make a similar post to the parent comment...in that the parent comment has presented no evidence whatsoever to support the claim that Coinbase is only using publicly-available information, and therefore by your own reasoning the parent poster should not make the claim.


> Coinbase Tracer allows clients, in both government and the private sector, to trace transactions through the blockchain, a distributed ledger of transactions integral to cryptocurrency use.

Because both the parent comment and I have read the article, so we both have evidence to support the claim that Coinbase is only using publicly-available information, as that's how Coinbase Tracer, the license to which was reported as sold to ICE for $29,000, works.


I think the person you’re talking to is theorizing about the possibility that Coinbase may not be completely honest in their statement about the nature of the service they provide to ICE. The article does not provide proof aside from repeating Coinbase’s statement.

If your standard of proof is “somebody wrote something online,” then GP provided you with proof that it’s possible that Coinbase lied.


> If your standard of proof is “somebody wrote something online,” then GP provided you with proof that it’s possible that Coinbase lied.

I literally cannot parse this sentence, can you rephrase?


I’m not sure how this is unclear. If Coinbase wrote a paragraph about their practices and that paragraph is “proof” of their practices, why wouldn’t another party writing a paragraph constitute “proof” of their position?

The topic of this sentence is “the definition of proof.”


Eliminate the word “proof” from your vocabulary.

All we have here is evidence, which is fundamentally different.


Okay, there are words saying that “maybe Coinbase’s work with ICE is more sinister than they divulged.”

Those are words online! That’s evidence! You cannot refute that someone wrote those words. I know that those are words online because I wrote them! Now you have evidence and testimony.

The funny part about all this is that nobody is claiming that they know that Coinbase is lying about this contract. It’s all been entirely hypothetical (hence the word “maybe.”)

What evidence or proof have you seen that there exists no possibility of a corporation lying about their relationship with a controversial government agency?


Rational thinkers don't consider beliefs just because they haven't conclusively been "disproven".


Rational thinkers accept corporate press releases as canonical truth, got it. Even mildly considering the possibility of being lied to is a sign of poor cognitive function. This is a very enlightened view of the world; I hope one day to reach this level of intellect.


Privacy is important because these hypotheticals are enabled by the lack of it. You don't need to ask if, to give a more extreme example, unrestricted backdoor access to your account login for law enforcement agencies has been used for arbitrary surveillance; you demand that these things not be done so you don't have to find out years later.


A lovely display of ideology-borne bias! Thanks for the potent demonstration!


You have absolutely zero evidence the parent comment is disinformation, and as such you should not have made the claim


The author outright admitted what he wrote was speculative and not factual. You may not agree with my conclusion, but I do have evidence.


Speculation does not equal fud


I didn't say it does generally.


What are the actual privacy/security issues with TikTok, concretely?

Citizen Lab published a report last year - https://citizenlab.ca/2021/03/tiktok-vs-douyin-security-priv... - which found that the app does not engage in any overtly malicious behavior:

> TikTok and Douyin do not appear to exhibit overtly malicious behavior similar to those exhibited by malware. We did not observe either app collecting contact lists, recording and sending photos, audio, videos or geolocation coordinates without user permission.

And if there's any organization I trust about this sort of thing, it's Citizen lab, owing to their groundbreaking work around Pegasus and other APTs.


We'll find out if China invades Taiwan and American youth overwhelmingly think America needs to stay out of it.


This is a weird take. Americans are free to not support military interventions planned by their country. To imply that this stance is only possible with brainwashing by China is something I wasn't expecting to see on HN. Heck, it is usually the opposite. People become avid supporters of the current war/invasion/intervention due to intense propaganda by traditional and social media.

I would applaud the American youth if your post ever becomes reality.


You would expect resistance the same as any other military intervention has. However, the magnitude of that resistance given what is at stake is what would be telling.


I mean, why would the USA get into it? It’s an off topic question, but what do we gain from an independent Taiwan that’s worth getting into a war with China when we have so many issues domestically that need those resources?


The USA has an agreement with Taiwan which promises that we help them in some way.

The act further stipulates that the United States will "consider any effort to determine the future of Taiwan by other than peaceful means, including by boycotts or embargoes, a threat to the peace and security of the Western Pacific area and of grave concern to the United States".

The act requires the United States to have a policy "to provide Taiwan with arms of a defensive character", and "to maintain the capacity of the United States to resist any resort to force or other forms of coercion that would jeopardize the security, or the social or economic system, of the people on Taiwan." Successive U.S. administrations have sold arms to Taiwan in compliance with the Taiwan Relations Act despite demands from the PRC that the U.S. follow the legally non-binding Three Joint Communiques and the U.S. government's proclaimed One-China policy (which differs from the PRC's interpretation of its one-China principle).

Obviously, it's not something as strong as NATO but we will definitely get involved.


Traditionally nothing. However Taiwan became the centre of semi-conductor manufacturing and research such that it is now crucial to the national security of almost every nation, not just the US.

However the real reason why Taiwan can't either fall to China militarily or re-unite with China peacefully is that Taiwan forms the centre of the "Island Chain Strategy" which is a containment strategy established by the US after the PRC came to power in the Chinese mainland and ROC was relegated to Taiwan.

The Island Chain serves to contain the PLA Navy such that China can't operate as a Blue Ocean navy, i.e. operate in international seas/oceans. Additionally it sets up a small number of chokepoints that can be used to completely isolate shipping in/out of China, so they will always be able to apply economic pressure through blockade.

This is the -real- source of tension between China and the "West" (even though it's really just the US/Australia/Japan in this case, China is relatively friendly with European countries etc).

If China was able to do the same thing to the US you can imagine the US would be pretty uncomfortable with that situation too.

Without being able to operate freely in the Pacific China's own nuclear deterrence is less effective as they aren't able to move nuclear ballistic subs without detection outside of the containment. This generally means needing bigger, more capable (read MIRV) ICBMs. Also generally means development of containment busting weapons, namely hypersonic nuclear tipped carrier-battle-group destroying missiles. They need effective nuclear deterrence to ensure their nuclear capability can't be disabled in a first strike. Specifically because their main adversaries are the US and Russia (yes, Russia is traditionally a Chinese adversary) both of which have significant nuclear assets so they need their own to ensure MAD is in place.

TLDR: If Taiwan was to come under Chinese control either by force or peacefully it would break a decades long containment strategy by the US, securing Chinese access to the Pacific for both trade and the PLAN.


TSMC

But if we're not being sardonic a holes, we should be fighting with a Democratic and free government against an autocratic dictatorship whose stated goals are to restore the 'righteous' historical vision of China as the center of the world (it's even the name as far as what I've read, not a speaker of the language: 中国).

Not only is it critical geopolitically and militarily (as in the ability to control important and huge swaths of sea / trade routes), ceding ground, or worse not putting up a fight at all, would be the death knell of the push for more liberal governments and more freedom.

As always on any topic of Xi or CCP there are a whole bunch of 'but whatabout america.' It's just tiring.


To protect a democracy that demonstrates a benign alternative future for Chinese society.


What if I prefer a more Chinese society than traditional western society?


Then you should find some people that voluntarily (i.e., not at gunpoint) want that society, and live there. That's actually one of the great things about modern western society: it's very tolerant of people who want their own societies (as long as they aren't trying to impose them on everyone else).

Obviously the Taiwanese aren't interested in living under the boot of the CCP. It's an interesting question what mainland Chinese would want if they didn't have the gun pointing at their head.

Also, what on earth is traditional western society? Like, Greek?


> Also, what on earth is traditional western society? Like, Greek?

There is some question as to what constitutes "Chinese society" too.

Do you use simplified or traditional characters? Must you simply respect your elders, or do you also need to be subservient to them? Can you trade with the west? Become successful without prior approval? Protest peacefully? Own property?


> I mean, why would the USA get into it?

Wow, not the point. The ability to mass influence foreign markets is the topic of discussion, do stay on point.


Not having another democracy in the world fall to authoritarianism. A future where more people have more freedom. Alliances.


Is China going to save Americans from the theocratic authoritarianism destroying our freedom?


We're fighting and voting to save ourselves. It can be messy.

But we actually have the rights & ability to change governments who threaten our freedom.


Japan, South Korea, the Philippines, etc. would all turn their backs on the US if the US lets a liberal democracy fall to an authoritarian state LARPing as Communists.


Chips and shipping lanes.


Kind of like we find out weekly what happens when Facebook decides it needs to enforce US foreign policy for its worldwide users?


Let’s run a thought experiment:

All videos get assigned a 0-1 anti- vs pro-CCP score. Videos with a >0.5 score get a slightly (~5%) better chance of being shown, and <0.5 is slightly penalized. This would be undetectable if the algorithm is run off device. Anti-CCP content would still play often. But on the massive scale TikTok runs, this would still tilt opinion favorably towards CCP.


Yeah, I'm aware of any number of infinite Evil China (TM) hypotheticals. Let's put the sinophobia on hold for just a second, and answer my question: what are the practical (meaning documented) privacy/security concerns with TikTok? I linked to a report from a (gasp, Western) group showing that there weren't any, but I'm aware that the report is a year old, so I'm very interested in documented recent information, not just mindless anti-China ranting.


>sinophobia

Purposely conflating China and the CCP, when the parent was criticizing the latter, is disingenuous at best.

>mindless anti-China ranting

And there goes arguing in good faith...


"documented". Unfortunately TikTok is closed source & proprietary. Though some privacy/security concerns can be gleaned via inspection of the binary and by viewing its network packets and such, it is still a black box running inside everyone's pocket.



Even if they are not doing anything bad now, they are controlled by the CCP and could push propaganda or other material to demoralize the West.


> could push propaganda or other material to demoralize the West.

Not necessary. Our governments are doing a great job of this already.


>> could push propaganda or other material to demoralize the West.

>Not necessary. Our governments are doing a great job of this already.

I'd say it's a bit more nuanced than that - foreign countries are already quite active even when most don't realize it. Major political moves have been influenced by foreign country/ies, regardless of which side of the Atlantic you are - see both Brexit and the 2016 US elections.

theguardian.com/commentisfree/2020/jul/21/russian-meddling-brexit-referendum-tories-russia-report-government


Our governments don't want our societies to collapse. I'm not sure China has the same care for our societies.


There is zero to worry about privacy because out of these social network apps, TikTok is the least invasive and doesn't really have much private information about users at all.

About security, the US may worry about how such a powerful platform can influence users. Think about what people were saying about Facebook when Trump was elected. And how the US has been using Facebook in other countries to influence people.


Not all malware is the same. If there was a malware bit of code that did nothing that brought attention to itself as it silently sat there retransmitting every piece of data you entered, every interaction with every website, every document created, etc., the owner of that malware would have access to so much information that they could do so many things with that data that may or may not directly affect the user of that device. That would not make that malware any less vile just because it didn't encrypt user data or do something obviously hostile to the user like that, attracting attention to itself. That type of malware is almost there with social media SDKs used in websites, apps, etc.

There are ways that I can't even imagine that other people can imagine how to use that data for nefarious means.


Did you even read the parent's link before spewing that?


> Why is Beihang involved in hosting the W3C?

Why is MIT? Do you not have an issue with them also getting funding from the American defense department? Or if you're concerned with the open web, do you not remember when they persecuted Aaron Swartz for the heinous crime of downloading knowledge?


[flagged]


He who comes into equity must come with clean hands.


[flagged]


[flagged]


[flagged]


You're going really hard in the paint to defend Chinese genocide of Muslim Turkic people.


> You're going really hard in the paint to defend Chinese genocide of Muslim Turkic people.

Where did I do so? Please either provide a quote of me doing so, or retract your statement as it otherwise amounts to libel.

To clarify, if somehow you managed to misinterpret my comments: I am in no way defending any $bad_shit that China does/has done. I am pointing out that the other nations involved have likewise done so, and therefore focusing on just one nation is disingenuous because it gives all the others a pass.

The war on the free and open web has been waged just as much, if not more so, by Western powers as it has by Eastern ones.


> or retract your statement as it otherwise amounts to libel.

You may not be very familiar with Hacker News. The parent issued an opinion about your behavior in commenting. Commanding them to retract it or else, isn't going to work here.


> But the simpler fix here is just to require password reset emails, not to mandate multi-factor authentication.

Password resets lead to iterative passwords, which lead to password reuse, which leads to email compromise, which leads to it being pointless to use email as some ersatz second factor.

If we want to move towards a world where phishing attacks and password breaches are obsolete, then we need to press full-throttle to mandating hardware security keys for all accounts.


It is very much the FTC's place to require companies to live up to the commitments they've made to customers, and probably, more broadly, to make sure they live up to the implied commitments of universal industry best practices. It is less clear that FTC has the authority to turn random companies into test cases for the elimination of phishing attacks.

The practices CafePress had prior to its breach were clearly inadequate, and justifiably actionable. They authenticated users with password-equivalent "security questions", which they (of course) stored in clear text. Storing cleartext password reset secrets contravenes universal industry best practices, and, really, so does the use of "security questions" at all --- though many banks still do.

But requiring 2FA tokens is not a universal practice. Moreover, deployed over a whole userbase, it doesn't really address the concerns that led to or were revealed by this breach. Managing 2FA for non-technical end users --- that's the kind CafePress serves --- is extraordinarily difficult. People lose tokens, 2FA codes are phishable, account recovery remains the most difficult problem in computer security, and so on.

So yes, it is weird to me to see the FTC suggest that the appropriate solution to a broken authentication system with security questions is "make people use 2FA tokens". The universal best practice solution to the specific problem the security questions solved is "password reset emails that prove custody of a trusted email account". The demand from the FTC exceeds that best practice. That's interesting, and so I called it out.

We don't know each other, so it probably bears saying that I am foursquare supportive of 2FA. I'm supportive of a lot of things the FTC would no doubt love to force companies to do (penetration testing in particular!)
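The comment above contrasts cleartext security-question answers with reset emails that prove custody of a trusted mailbox. As an added example (my own code, not from the thread, the FTC order or CafePress), here is the shape of such a reset flow in Python: a high-entropy token is mailed to the user, only its hash is kept at rest, and it is single-use and time-limited, so a database dump yields nothing an attacker can redeem. The class and function names, and the 15-minute lifetime, are assumptions of this example.

```python
# Added example: email-based password reset without a cleartext secret at rest.
# Names (PasswordResetService, issue, redeem) and the TTL are assumptions.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

RESET_TOKEN_TTL_SECONDS = 15 * 60  # short lifetime: a leaked link ages out quickly


@dataclass
class ResetRecord:
    user_id: str
    token_hash: str      # only the hash is stored, never the token itself
    expires_at: float
    used: bool = False   # flipped on first successful redemption


def _hash_token(token: str) -> str:
    # Reset tokens are 256-bit random strings, so a plain fast hash is enough:
    # unlike passwords, they cannot be recovered by dictionary or brute force.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class PasswordResetService:
    """Issues single-use, time-limited reset tokens and redeems them."""

    def __init__(self) -> None:
        # Keyed by token hash; in a deployment this would be a database table.
        self._records: Dict[str, ResetRecord] = {}

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a token for user_id and return the plaintext to put in the email."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe encoding
        record = ResetRecord(user_id, _hash_token(token), now + RESET_TOKEN_TTL_SECONDS)
        self._records[record.token_hash] = record
        # The plaintext goes into the mailed link only; the server keeps the hash.
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id if the token is known, unused and unexpired; else None."""
        now = time.time() if now is None else now
        record = self._records.get(_hash_token(token))
        if record is None or record.used or now > record.expires_at:
            return None
        record.used = True  # single use: the same link cannot be replayed
        return record.user_id

    def stored_secrets(self) -> List[str]:
        """What a database dump would expose: hashes only, no redeemable tokens."""
        return list(self._records.keys())


def build_reset_link(base_url: str, token: str) -> str:
    """Assemble the link that would be mailed to the account's trusted address."""
    return f"{base_url}/reset?token={token}"


if __name__ == "__main__":
    # Constructed walkthrough: issue, mail, redeem once, then observe the replay fail.
    svc = PasswordResetService()
    tok = svc.issue("user-42")
    print("mail this:", build_reset_link("https://shop.example", tok))
    print("at rest:", svc.stored_secrets())
    print("first redeem:", svc.redeem(tok))
    print("replay:", svc.redeem(tok))
```

Passing `now` explicitly keeps the expiry logic testable without sleeping; compare this with storing security-question answers in cleartext, where the dump itself is the credential.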


> But requiring 2FA tokens is not a universal practice.

It is not universal practice, but it is industry-standard, so I don't particularly understand why it is surprising that the FTC is recommending that CafePress adhere to industry standards.


2FA is not in fact the industry standard process for account recovery (it's the industry standard problem that causes us to have to spend time on account recovery!), and account recovery is the problem this part of the consent agreement addresses.


As per NIST 800-63B:

> To maintain the integrity of the authentication factors, it is essential that it not be possible to leverage an authentication involving one factor to obtain an authenticator of a different factor. For example, a memorized secret must not be usable to obtain a new list of look-up secrets.

And further:

> Methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be used for out-of-band authentication.


That's the NIST standard definition for out-of-band authenticators. FTC didn't demand out-of-band authenticators, nor is anyone obligated to comply with NIST.


And the account/2FA reset procedure is always the weak point - most of my accounts with 2FA enabled let me reset it with access to email or SMS.

(Which is good for some of them, as they're notoriously flaky).


Yes. For obvious reasons, people are more prone to lose 2FA authenticators (be they code generators or hardware keys) than passwords. Both passwords and 2FA mechanisms are customers of account recovery, which is the process that kicks in when you can't log in. Security questions are a particularly bad account recovery system. Reset emails are somewhat better.

Again, 2FA isn't an account recovery process at all; it's a reason you need account recovery.

To get a general sense of where we're at as an industry with this, look at the process for what happens when you lose an AWS 2FA secret:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...


> Again, 2FA isn't an account recovery process at all; it's a reason you need account recovery.

Your reading of the FTC text seems to be that you think the FTC has conflated account recovery with 2FA, but I don't think that's the case. Instead, my read is that they're suggesting that password breaches can be rendered moot points by requiring 2FA for accounts, so that the compromise of a password would not require an account reset in the first place.


I'm reading the plain language of the agreement, which requires the replacement of security questions and answers, and is not in fact a manifesto about the insecurity of passwords writ large.

But technical language aside: a requirement that CafePress fully adopt 2FA also doesn't make sense, because its users will not fully adopt 2FA. The users that can't 2FA are the interesting case here, and the thing I'm calling out.


I think you think they mean password expiration, not password resets. I don't see how the existence of an "I forgot my password" (password reset) flow leads to reused passwords, though automatically expiring passwords certainly does.


Bullshit like this will continue happening en masse until there are mandatory prison sentences for C-suite executives for negligence and malice like this.


As much as we love to imprison people in the US... Maybe just make the expected value of cover up massively negative with fines as significant multiples of actual damage?


It's all Monopoly money to corporations. If there is no fear of an actual corporal punishment, then there is no personal skin in the game, so to speak. An executive who causes a corporation to be fined may worry about losing their job, but they'll be much more worried if the risk is going to prison.

And it's not that we love to imprison people in the US, it's that we love to imprison the wrong people.


>It's all Monopoly money to corporations. If there is no fear of an actual corporal punishment

The SWIFT ban was as close to an economic death penalty as you can give a bank; we should do it more often to corporations, public or private, that act the fool.

(Looking at you, China, with your manipulation of both CNH and CNY)

https://en.wikipedia.org/wiki/SWIFT_ban_against_Russian_bank...


>It's all Monopoly money to corporations.

Surely you don't mean by this that they don't care about money. Isn't the cynical take normally that corporations are amoral money maximizing juggernauts? Why wouldn't they respond to adequate threats?


It's not that they don't care about money, it's that they are less affected by loss.

Once someone earns about 10 million they can live for the rest of their life in a reasonable way without working again. So when you are an executive who has assets of 50 to 70 million and your stock, which was worth 10 mil is now worth 7 mil you aren't hurt that bad.

The company can then raise prices, cut quality, and fire people to reduce costs to make up for the fine. The stock might eventually even go higher than it was before.


What I mean is that executives value their personal livelihoods above money, though the two are often correlated. Therefore the punishment needs to strike at the core, their personal as opposed to financial freedom. "Big" fines for corporations have been around forever, I don't see them changing anything.


No, jail them, even if just overnight. It fixed Iceland's issues.

https://en.wikipedia.org/wiki/2008%E2%80%932011_Icelandic_fi...

Prison is for serious crimes, like murder, or financial losses so large they are akin to one.

A human life is worth about 10 million:

https://en.wikipedia.org/wiki/Value_of_life#United_States

If someone makes a big deal out of never killing, and they do multiples of damage to that, some of which causes others to die of depression... then walk them out of their offices in handcuffs, one by one, until they're "nudged" to change their behavior.

I feel just as precarious as I did in 2008. (Moreso since I'm older, and don't have the clean slate young people do but don't have the savings others have on this site despite always trying to make the least wrong decisions I could... but if others don't opt in to giving me income, I can't invest it wisely, full stop.)


I dunno, we seem to issue fines a lot nowadays and the behavior doesn't change.

What even would the expected value for a fine be in this situation? It seems overly complex to calculate, as I don't think even the FTC tried to put a value on the damages from the sale of the personal information.


Fines or the threat of jail time are just treating the symptoms. The bigger issue is that companies use the SSN as a way to authenticate a user. Government should mandate only allowing the SSN for tax identification purposes. Passwords need to go away, and with WebAuthn we are almost there. The average person is reusing the same password across sites, so it's pointless protection.

An e-commerce store hack shouldn’t give hackers the data needed to access customers financial accounts.


> Government should mandate only allowing SSN for tax identification purposes.

CafePress was presumably collecting SSNs precisely for tax identification purposes.


It's not them who are the problem. It's financial institutions and other services that use the SSN as a way to verify a person. You should not be able to set up a cell phone plan by providing a name and an SSN. And credit reporting should not be tied to an SSN. It should just be used to submit tax information to the government and have no value beyond that.


And when a company doesn't comply?

A law without a penalty isn't a law you need to follow.


> I dunno, we seem to issue fines a lot nowadays and the behavior doesn't change.

We issue fines, yes. We do not issue fines to an amount that would incentivize behavior change. Most fines from agencies like this, when I see them, tend to be in the <$10 range, when scaled to how "impactful" the fine would be against an average person's income. My father would call a fine that's less than $10 a "toll".

In this particular case, the fined entity is too small for me to know exactly, as I can't find their financials. But the amount doesn't smell large.

In some instances, I've seen agencies level $0 fines against corporations. Literally, all the agency demanded was "stop doing the bad thing, m'kay?"


>We issue fines, yes. We do not issue fines to an amount that would incentivize behavior change.

Who is we? The US?

I see many euros on HN tutting about lax regulation, but no one in the EU seems willing to actually enforce the GDPR and levy a corporate death penalty if their brothers across the pond won't do the needful.

(I'm eligible for an Italian passport Jus sanguinis, though I had intended not to look into it until late in life -- maybe I should abandon my American one, and immediately lobby for the above to my new elected representatives, since everyone I've met from the world of spooks seems to obstruct me out of fear I'll expose their illegal behavior rather than do their damn job well enough I wouldn't notice how they spend their free time.)


What does "inviting" mean? It sounds like it means "Facebook wants free labor instead of paying for formal and expensive security audits".


Meta/Facebook has given the world React, PyTorch, GraphQL, Jest, and other fantastic technologies, and you are just boiling down their open source efforts to "Facebook wanting free labor."

Not everything in tech is a sinister capitalistic plot. Open Source and Open Research are truly one of the best ways to accelerate technology advancements, in particular software technology advancements.


My concerns with ostensibly privacy-focused Firefox forks:

* Needing to constantly monitor whether the fork is being actively maintained, or if it's a vanity project which abruptly stops/slows down updates when its owner/principal contributors lose interest.

* Needing to constantly monitor if the fork is using the latest official Firefox builds to make sure that it's also getting the latest security updates.

* Not being readily able to see a complete humanly understandable (meaning not just comparing git versions) list of changes that the fork makes to the official build.

* Not knowing the reputation of the developers behind the fork.

In sum, I basically trust Mozilla more than I do $random_fork_developer, so I use the official build and carry out my own tweaks, but I am always on the lookout for more tweaks, which is why I'd appreciate it if the lists of privacy tweaks custom builds make were more transparently shared.


At Netflix, I went down the rabbit hole of package management. We were working on a distributed build system that allowed you to compose immutable builds of ecosystem independent artifacts. After working in that space, and reading the last few decades of LISA papers, I’m fairly confident our industry has gotten package management horribly wrong - and I think your comment cuts right to why.

The two closest build systems I’ve seen to getting it right: Nix (closest) and FreeBSD ports.

I’ll use the i3 window manager as an example. There are plenty of forks of i3 out there (example: adding space between windows, rounded corners, i3bar mods, etc). They’re each packaged and published as separate packages! You can’t compose them even though many of their changes are compatible. This leads to packages like i3-gaps-rounded.

What I really want out of a package manager is “patch support” - where I can publish, discover, share, and consume patches on top of the OSS I use.

Nix gets really close to this. I haven’t invested enough time in learning Nix yet, but it’s on my bucket list. Currently I use FreeBSD and use their ports collection for i3, and put all of my patches in the patch directory there. FreeBSD will apply the patches in order and then build the package for me.

I’m not sure exactly where I’m going with this rant beyond: I wish OSS package management adopted less of a producer-consumer relationship and more of a peer relationship when it comes to source code management and builds.


Gentoo's portage (which is based on freebsd ports to some extent!) also allows patches like this! You just put the patches in /etc/portage/patches/$cat/$pkg(-$ver|:$slot) and it applies them automatically for you! It's also really easy to take an ebuild from the gentoo repo and modify it however you want!

I would definitely recommend giving Gentoo a spin!

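The "patch directory" workflow described in the two comments above (FreeBSD ports applying the files in its patch directory in order, Gentoo's /etc/portage/patches doing the same) boils down to one rule: apply every patch in lexical order against the current source, and abort the build if a hunk's context no longer matches. The script below is an added illustration of that rule for this thread, not code from the FreeBSD or Gentoo tooling; it handles single-file unified diffs only, and the patches in it are constructed.

```python
"""Ordered user-patch application, in the style of Gentoo's /etc/portage/patches
and the FreeBSD ports patch directory: every *.patch is applied to the source in
lexical order, and a hunk whose context no longer matches aborts the build.

Added illustration for this thread, not code from Gentoo or FreeBSD. The patch
contents below are constructed; only single-file unified diffs are handled.
"""
import re
from typing import Dict, List, Tuple

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


class PatchError(Exception):
    """Raised when a hunk is malformed or its context does not match the source."""


def parse_hunks(patch: str) -> List[Tuple[int, int, List[str], List[str]]]:
    """Return (old_start, old_count, old_lines, new_lines) for each @@ hunk."""
    hunks = []
    lines = patch.splitlines()
    i = 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        i += 1
        if not m:
            continue  # skip the ---/+++ headers and any commentary before a hunk
        old_start, old_count = int(m.group(1)), int(m.group(2) or 1)
        new_count = int(m.group(4) or 1)
        old, new = [], []
        while i < len(lines) and (len(old) < old_count or len(new) < new_count):
            tag, body = lines[i][:1], lines[i][1:]
            if tag in (" ", ""):        # context line (some tools emit "" for an empty one)
                old.append(body)
                new.append(body)
            elif tag == "-":
                old.append(body)
            elif tag == "+":
                new.append(body)
            elif tag != "\\":           # "\ No newline at end of file" is informational
                raise PatchError(f"malformed hunk line: {lines[i]!r}")
            i += 1
        if len(old) != old_count or len(new) != new_count:
            raise PatchError("hunk shorter than its @@ header claims")
        hunks.append((old_start, old_count, old, new))
    return hunks


def apply_patch(source: str, patch: str) -> str:
    """Apply one patch, verifying each hunk's context against the current text."""
    lines = source.splitlines()
    offset = 0  # line drift introduced by earlier hunks of the same patch
    for old_start, old_count, old, new in parse_hunks(patch):
        # A zero-length old range means "insert after line old_start".
        idx = old_start + offset if old_count == 0 else old_start - 1 + offset
        if lines[idx:idx + old_count] != old:
            raise PatchError(
                f"context mismatch at line {idx + 1}: expected {old!r}, "
                f"found {lines[idx:idx + old_count]!r}"
            )
        lines[idx:idx + old_count] = new
        offset += len(new) - old_count
    return "\n".join(lines) + ("\n" if lines else "")


def apply_patch_series(source: str, patches: Dict[str, str]) -> str:
    """Apply every patch in lexical filename order, as portage and ports do."""
    for name in sorted(patches):
        source = apply_patch(source, patches[name])
    return source


ORIGINAL = "line one\nline two\nline three\n"

# Constructed patches: 02 was written on top of 01, so its context includes 01's change.
PATCHES = {
    "01-two.patch": "--- a/hello.txt\n+++ b/hello.txt\n@@ -1,3 +1,3 @@\n"
                    " line one\n-line two\n+line 2\n line three\n",
    "02-three.patch": "--- a/hello.txt\n+++ b/hello.txt\n@@ -1,3 +1,3 @@\n"
                      " line one\n line 2\n-line three\n+line 3\n",
}

if __name__ == "__main__":
    print(apply_patch_series(ORIGINAL, PATCHES), end="")
    try:  # applying 02 before 01 must fail: its context line "line 2" does not exist yet
        apply_patch(ORIGINAL, PATCHES["02-three.patch"])
    except PatchError as e:
        print("as expected:", e)
```

The numbered filenames are doing real work: the second patch only applies once the first has changed the context it was written against, which is exactly why both ports and portage sort before applying rather than trusting directory order.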

The nightmare scenario which we may be hitting? Firefox (which I've always loved and used) may be institutionally so used to surviving how it can by compromising that it loses its way?

I wasn't that much concerned with it until recently. I got into the idea of the whole "website as app," thing (specifically, client-side you turn a website into a self-contained app, with or without the "sites" permission) -- and to find that Firefox had dropped this is disappointing because it feels well within Firefox's mission.

FWIW, presently I'm solving this through GNOME's Epiphany.


Yes, this is a really unfortunate missing piece of functionality for Firefox. I’m currently solving this through Microsoft Edge, but it’s pretty janky (external links open in Edge, so I need to copy and paste them into Firefox).


>Not being readily able to see a complete humanly understandable (meaning not just comparing git versions) list of changes that the fork makes to the official build.

I feel like this is a common thing with forks and alternatives, they usually have a basic list of big differences (like Librewolf with saying it's more private).

But I'd like to know how they do that: are they blocking more cookies? Are they making the browser harder to fingerprint? What am I giving up vs Firefox (i.e. sites breaking, or missing features like sync)?


Your concerns are valid but from the article:

> Firefox security patches are applied to prevent vulnerabilities

You are right about the reputation of the maintainers of LW though. The second this becomes abandonware I will ditch it.


> Firefox security patches are applied to prevent vulnerabilities

Sure, but at what rate? If Mozilla releases a critical patch today, and the core maintainer responsible for build maintenance is away on vacation for two weeks, what happens?

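The question above ("Mozilla releases a critical patch today, the fork's build maintainer is on vacation, what happens?") is a measurable one. The script below is an added example for this thread, not LibreWolf's or Mozilla's tooling: given a list of upstream releases (version, date, whether the release notes carried security advisories) and the upstream version a fork is currently built from, it lists what the fork lacks and how many days it has gone without an available security fix. All version numbers and dates in it are constructed; in practice you would feed it from the upstream release notes and the fork's tags.

```python
"""Check how far a browser fork has fallen behind upstream security releases.

Added example for this thread; it is not LibreWolf's or Mozilla's tooling. The
release data below is constructed, with made-up version numbers and dates.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass(frozen=True)
class Release:
    version: str
    released: date
    security_fix: bool  # True when the release notes carry security advisories


def parse_version(v: str) -> Tuple[int, ...]:
    """'100.0.1' -> (100, 0, 1); tuples compare the way version numbers should."""
    return tuple(int(p) for p in v.split("."))


def missing_upstream(upstream: List[Release], fork_base: str) -> List[Release]:
    """Upstream releases newer than the version the fork is currently built from."""
    base = parse_version(fork_base)
    return sorted(
        (r for r in upstream if parse_version(r.version) > base),
        key=lambda r: parse_version(r.version),
    )


def security_lag_days(upstream: List[Release], fork_base: str, today: date) -> int:
    """Days since the oldest unshipped *security* release; 0 when the fork is current."""
    pending = [r for r in missing_upstream(upstream, fork_base) if r.security_fix]
    return (today - pending[0].released).days if pending else 0


def is_stale(upstream: List[Release], fork_base: str, today: date, max_days: int = 7) -> bool:
    """Flag a fork that has gone more than max_days without shipping an available security fix."""
    return security_lag_days(upstream, fork_base, today) > max_days


# Constructed data, not real Firefox releases.
UPSTREAM = [
    Release("100.0", date(2024, 1, 1), security_fix=False),
    Release("100.0.1", date(2024, 1, 10), security_fix=True),
    Release("100.1", date(2024, 1, 20), security_fix=True),
]

if __name__ == "__main__":
    today = date(2024, 1, 25)
    for r in missing_upstream(UPSTREAM, "100.0"):
        kind = "security" if r.security_fix else "routine"
        print(f"fork lacks {r.version} ({kind}, released {r.released})")
    print("days behind on security fixes:", security_lag_days(UPSTREAM, "100.0", today))
    print("stale:", is_stale(UPSTREAM, "100.0", today))
```

Run against real data this is the monitoring job the earlier comment complained about having to do by hand; the useful number is not "versions behind" but "days a known security fix has been available upstream and not in the fork".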

That's the main problem behind FOSS; they are not incentivized to be 100% dedicated to the project. Their FOSS projects are a labour of love, not a labour of money.


You say it is a problem with FOSS projects. Isn't it more a problem with hobby projects? Some FOSS projects are hobby projects, others not, as showcased by the fact that Firefox itself is a FOSS project.

Timely maintenance is also problematic with hobby closed-source projects or hobby apps on closed platforms, like iOS and Android.


>You say it is a problem with FOSS projects. Isn't it more a problem with hobby projects? Some FOSS projects are hobby projects, others not, as showcased by the fact that Firefox itself is a FOSS project.

Mozilla gets paid $500m a year by Google so that Google can be the default search engine on Firefox. They have the money that keeps them "incentivized" although they are FOSS and nonprofit. Or in other words, GitLab and GitHub FOSS devs do not have salaries like Mozilla people do; the only thing they get is an occasional donation.


Valid point.


One aspect of these forks that never gets mentioned:

It's great when a fork ensures that it is always taking security patches from upstream. But what about the code unique to the fork? Is that new code following the same security practices as the upstream project? Are enough eyeballs poking at it to get it the same security scrutiny as upstream?


Open source is not safe by default. Read this: https://lwn.net/Articles/846272/


Mind sharing your tweaks? :) I have a list but not so extensive.



> the idea that only the data that needs to be collected for a certain purpose should be collected.

The US has a similar statute, the Paperwork Reduction Act, a "law governing how federal agencies collect information from the American public", with the aim being to "not overwhelm [the public] with unnecessary or duplicative requests for information" and that the data collected be "a good fit for its proposed use" and further still "To respect privacy, we avoid asking for personal information that’s not relevant or necessary." https://pra.digital.gov/about/

In practice, of course, this is all bullshit and any data that the government cares to collect is rationalized as fitting all those requirements.

So I'm curious if the German Datensparsamkeit is actually effective?


Well... I suspect German Datensparsamkeit is only a figment of the utterly ridiculous digital infrastructure of the German governments, both federal and state ones. Most processes are still carried out via paper or fax (fax!), you have to show up personally for the most insignificant things, every single village has its own records (practically never digital), and every time the government attempts to make a stab towards more digitalisation, big corps waste billions on giant projects that never get finished. We had the attempt to get health insurance (mandatory here) cards with an NFC chip on them that would securely store medical records and grant online access to your data; finally, no more carrying X-ray CDs from MD to MD or filling out registration forms at the doc. But of course, 10 years later, everyone has a new card, but you can't do anything with it. Someone has earned a lot with it though.

So, all in all, it's not that Germany's government is so privacy conscious, but we're simply stuck in a pre-digital world with no reasonable way to share data.


In my (university IT) circles it is definitely part of the lived culture. IT sees itself as the ally of the users and not a data collector for the management. The management mostly agrees with the principle of data scarcity as well.

I recall one instance where the highest person at a university tried to get all the users' contact tracing data because of some incident (theft). IT explained that their request was not only illegal but also useless, because the way the data was stored would not allow extracting it without going to another official place and requesting the other half of the data, which could only be accessed by the health department.

There is a german saying that goes a bit like: "where there is a feeding trough there are pigs". The idea of data scarcity is to avoid putting up things that can be used as food by pigs. So instead of defending data silos, you build them in a way that they don't become targets in the first place because they are of limited use outside of the intended use case.

Judging by the number of politicians complaining about data privacy, it works.

